Cybersecurity and ESG - a perfect fit

Today ESG (environmental, social and governance) is firmly on the C-Suite agenda. Three-quarters of business leaders plan to increase investment in sustainability initiatives* and most have made public commitments on a range of ESG issues. What may be surprising to some is that cybersecurity is starting to become a key ESG consideration.

The reason for this? Cyberattacks today are front-page news. Mazars’ C-suite Barometer 2021 shows that most leaders believe cyber risks have increased over the past year and more than a third (35%) expect a significant breach within the next year.

High-profile attacks have helped catapult cybersecurity to the top of the C-suite to-do list. They have also triggered concern among consumers about potential cyber vulnerabilities in the organisations that manage and process their data. Business shareholders mirror that concern, ever mindful of the financial, legal and reputational consequences of a data breach.

“We know that investors and stakeholders are now demanding more transparency in relation to cybersecurity – it can influence investment decisions from key investors,” confirms Mazars’ Head of Cyber Advisory, Anton Yunussov.

As such, stakeholders are demanding more transparency about organisations’ cyber behaviour and risks.

Cybersecurity across E, S and G

Significantly, cybersecurity can be applied across all aspects of ESG reporting.

“Companies in the critical national infrastructure sector have to protect their assets from cyberattacks to stop environmental disasters, such as waste or oil spillage,” explains Yunussov. “In terms of social considerations, companies collect a lot of personal data and have a responsibility to protect that data from being disclosed to unauthorised individuals, stolen or misused.

“Finally, the governance aspect for cyber is critical. Traditionally, cyber has been viewed as a technology issue. But it is increasingly viewed as a business issue. As such, Boards and senior executives have a responsibility to make sure cyber defences are robust to protect assets such as personal data and intellectual property.”

Transparency into the supply chain

Increasingly, cybercriminals are targeting organisations’ third-party suppliers, partners and systems to gain access to sensitive data.

“We’ve seen cases in the media where supply chains have been hit. It doesn’t just affect one, it affects multiple companies. It affects how they are operating as a business because they rely on multiple suppliers,” says Sandeep Sharma, Director of Cyber Security at Mazars.

As such, more companies are seeking assurances from their supply chain regarding their cyber controls. Here again, transparency is key for customers and investors. If a company fails to offer any information about its cyber controls or to demonstrate cyber preparedness, it could easily lead investors to pull out.

“If you’re onboarding a new supplier, you want to make sure they’re safeguarding their data, have got protections in place, and know what they’re doing around cybersecurity,” says Sharma.

However, it is important to find a balance. While organisations should be sharing information externally as part of ESG reporting, they must still ensure that information – particularly if it highlights vulnerabilities – isn’t misused or exploited by cybercriminals.

“There needs to be a fine balance in terms of how much to disclose to stakeholders versus not disclosing vulnerabilities to external attackers within the reporting itself,” says Yunussov. “Certain information cannot be in the public domain, simply because it can be used to attack organisations.

“That said, there still needs to be information that is disclosed to make sure that investors are confident that a company takes cybersecurity seriously and the business value will not be eroded by weak cybersecurity controls.”

ESG essential to growth

Nearly half (46%) of large companies ($1bn+ revenue) and 43% overall see ESG as essential to their long-term growth. Moreover, reporting on cyber risk metrics can often offer valuable insight into an organisation’s corporate behaviour.

“It’s very positive to see a lot of companies are taking ESG seriously; it’s not just a tick box exercise,” says Yunussov. “But in terms of cyber reporting, we’re still at a very early stage. But there are an increasing number of listed companies being proactive in developing their ESG frameworks and including cyber in their ESG considerations.

“That trend will only continue, so a lot of businesses need to start thinking about how they can implement cybersecurity around ESG.”

The continuity and consistency of those metrics are important: developing the framework, ensuring it is implemented, and making it part of the organisation’s regular reporting.

“It is the responsibility of all Board members in terms of reporting,” says Yunussov. “But if we think about cybersecurity itself, it’s really the responsibility of everyone within the company to make sure that critical data stays secure. It’s everybody’s responsibility to do as much as they can in the current environment.”

*Mazars’ C-Suite Barometer is an annual survey of over 1,000 executives around the world.